User: starksm 
  Date: 01/07/09 01:49:37

  Modified:    src/main/org/jboss/security/auth/spi Tag: Branch_2_4
                        LdapLoginModule.java
                        UsernamePasswordLoginModule.java
  Added:       src/main/org/jboss/security/auth/spi Tag: Branch_2_4
                        AnonLoginModule.java
  Log:
  Add support for authenticating anonymous users (username and password both null)
  at the UsernamePasswordLoginModule level and update JaasSecurityManager to
  provide a callerPrincipal for the case of a null principal.
  
  Revision  Changes    Path
  No                   revision
  
  
  No                   revision
  
  
  1.1.4.1   +220 -258  
jbosssx/src/main/org/jboss/security/auth/spi/LdapLoginModule.java
  
  Index: LdapLoginModule.java
  ===================================================================
  RCS file: 
/cvsroot/jboss/jbosssx/src/main/org/jboss/security/auth/spi/LdapLoginModule.java,v
  retrieving revision 1.1
  retrieving revision 1.1.4.1
  diff -u -r1.1 -r1.1.4.1
  --- LdapLoginModule.java      2001/04/11 02:04:21     1.1
  +++ LdapLoginModule.java      2001/07/09 08:49:37     1.1.4.1
  @@ -1,258 +1,220 @@
  -/*
  - * JBoss, the OpenSource EJB server
  - *
  - * Distributable under LGPL license.
  - * See terms of license at gnu.org.
  - */
  -package org.jboss.security.auth.spi;
  -
  -import java.security.Principal;
  -import java.security.acl.Group;
  -import java.util.ArrayList;
  -import java.util.Iterator;
  -import java.util.Map;
  -import java.util.Map.Entry;
  -import java.util.Properties;
  -import javax.naming.Context;
  -import javax.naming.NamingEnumeration;
  -import javax.naming.NamingException;
  -import javax.naming.directory.Attribute;
  -import javax.naming.directory.Attributes;
  -import javax.naming.directory.BasicAttributes;
  -import javax.naming.directory.SearchResult;
  -import javax.naming.ldap.InitialLdapContext;
  -import javax.security.auth.Subject;
  -import javax.security.auth.callback.Callback;
  -import javax.security.auth.callback.CallbackHandler;
  -import javax.security.auth.callback.NameCallback;
  -import javax.security.auth.callback.PasswordCallback;
  -import javax.security.auth.callback.UnsupportedCallbackException;
  -import javax.security.auth.login.FailedLoginException;
  -import javax.security.auth.login.LoginException;
  -import javax.security.auth.spi.LoginModule;
  -
  -import org.jboss.security.SimpleGroup;
  -import org.jboss.security.SimplePrincipal;
  -import org.jboss.security.auth.callback.ObjectCallback;
  -import org.jboss.security.auth.spi.AbstractServerLoginModule;
  -
  -/** An implementation of LoginModule that authenticates against an LDAP server
  -using JNDI based on the configuration properties.
  -
  -The LoginModule options include whatever options your LDAP JNDI provider
  -support. Examples of standard property names are:
  -Context.INITIAL_CONTEXT_FACTORY = "java.naming.factory.initial"
  -Context.SECURITY_PROTOCOL = "java.naming.security.protocol"
  -Context.PROVIDER_URL = "java.naming.provider.url"
  -Context.SECURITY_AUTHENTICATION = "java.naming.security.authentication"
  -
  -The Context.SECURITY_PRINCIPAL is set to the distinguished name of the user
  -as obtained by the callback handler and the Context.SECURITY_CREDENTIALS
  -property is either set to the String password or Object credential depending
  -on the useObjectCredential option.
  -
  -Additional module properties include:
  -principalDNPrefix, principalDNSuffix : A prefix and suffix to add to the
  -    username when forming the user distiguished name. This is useful if you
  -    prompt a user for a username and you don't want them to have to enter the
  -    fully distinguished name. Using this property and principalDNSuffix the
  -    userDN will be formed as:
  -<code>String userDN = principalDNPrefix + username + principalDNSuffix;</code>
  -
  -useObjectCredential : indicates that the credential should be obtained as
  -an opaque Object using the org.jboss.security.plugins.ObjectCallback type
  -of Callback rather than as a char[] password using a JAAS PasswordCallback.
  -
  -rolesCtxDN : The distinguished name to the context to search for user roles.
  -roleAttributeName : The name of the attribute that contains the user roles
  -uidAttributeName : The name of the attribute that in the object containing
  - the user roles that corresponds to the userid. This is used to locate the
  - user roles.
  -
  -A sample login config:
  - testLdap {
  -    org.jboss.security.plugins.samples.LdapLoginModule required
  -        java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory
  -        principalDNPrefix=uid=
  -        uidAttributeID=userid
  -        roleAttributeID=rolenames
  -        principalDNSuffix=,ou=People,o=displayscape.com
  -        rolesCtxDN=ou=Users,cn=Project1,ou=Projects,o=displayscape.com
  -        java.naming.provider.url=ldap://siren-int/
  -        java.naming.security.authentication=simple
  - };
  -
  -@author [EMAIL PROTECTED]
  -@version $Revision: 1.1 $
  -*/
  -public class LdapLoginModule extends AbstractServerLoginModule
  -{
  -    private static final String USE_OBJECT_CREDENTIAL_OPT = "useObjectCredential";
  -    private static final String PRINCIPAL_DN_PREFIX_OPT = "principalDNPrefix";
  -    private static final String PRINCIPAL_DN_SUFFIX_OPT = "principalDNSuffix";
  -    private static final String ROLES_CTX_DN_OPT = "rolesCtxDN";
  -    private static final String UID_ATTRIBUTE_ID_OPT = "uidAttributeID";
  -    private static final String ROLE_ATTRIBUTE_ID_OPT = "roleAttributeID";
  -
  -    public LdapLoginModule()
  -    {
  -    }
  -
  -     private transient String username;
  -     private transient Object credential;
  -    private transient SimpleGroup userRoles = new SimpleGroup("Roles");
  -
  -     public boolean login() throws javax.security.auth.login.LoginException
  -     {
  -             System.out.println("LdapLoginModule.login");
  -             if( super.login() == true )
  -        {
  -            // Use the shared username and password
  -            Object identity = sharedState.get("javax.security.auth.login.name");
  -            credential = sharedState.get("javax.security.auth.login.password");
  -            username = identity.toString();
  -        }
  -        else
  -        {
  -            // Use the callbackHander to get username and password
  -            getUsernamePassword();
  -        }
  -
  -             // Validate the user & password by creating an LDAP initial context.
  -             try
  -             {
  -                     createLdapInitContext();
  -             }
  -             catch(NamingException e)
  -             {
  -                     throw new FailedLoginException(e.toString(true));
  -             }
  -             catch(Throwable t)
  -             {
  -                     throw new FailedLoginException("Unexpected failure: 
"+t.getMessage());
  -             }
  -             return true;
  -     }
  -     
  -    protected Principal getIdentity()
  -    {
  -        return new SimplePrincipal(username);
  -    }
  -    protected Group[] getRoleSets() throws LoginException
  -    {
  -        Group[] roleSets = {userRoles};
  -        return roleSets;
  -    }
  -
  -    private void getUsernamePassword() throws LoginException
  -    {
  -        if( callbackHandler == null )
  -                     throw new LoginException("Error: no CallbackHandler 
available");
  -
  -             NameCallback ncallback = new NameCallback("LdapLoginModule username: 
");
  -             PasswordCallback pcallback = new PasswordCallback("LdapLoginModule 
password: ", false);
  -        ObjectCallback ocallback = new ObjectCallback("LdapLoginModule credential: 
");
  -             try
  -             {
  -            Object useObjectCred = options.get(USE_OBJECT_CREDENTIAL_OPT);
  -            if( useObjectCred == null || 
Boolean.valueOf(useObjectCred.toString()).booleanValue() == false )
  -            {
  -                Callback[] callbacks = {ncallback, pcallback};
  -                callbackHandler.handle(callbacks);
  -                char[] tmpPassword = pcallback.getPassword();
  -                credential = new String(tmpPassword);
  -                pcallback.clearPassword();
  -            }
  -            else
  -            {
  -                Callback[] callbacks = {ncallback, ocallback};
  -                callbackHandler.handle(callbacks);
  -                credential = ocallback.getCredential();
  -            }
  -                     username = ncallback.getName();
  -             }
  -             catch(java.io.IOException ioe)
  -             {
  -                     throw new LoginException(ioe.toString());
  -             }
  -             catch(UnsupportedCallbackException uce)
  -             {
  -                     throw new LoginException("Error: " + 
uce.getCallback().toString());
  -             }
  -    }
  -
  -     private void createLdapInitContext() throws NamingException
  -     {
  -             Properties env = new Properties();
  -        // Map all option into the JNDI InitialLdapContext env
  -        Iterator iter = options.entrySet().iterator();
  -        while( iter.hasNext() )
  -        {
  -            Entry entry = (Entry) iter.next();
  -            env.put(entry.getKey(), entry.getValue());
  -        }
  -
  -        // Set defaults for key values if they are missing
  -             String factoryName = env.getProperty(Context.INITIAL_CONTEXT_FACTORY);
  -             if( factoryName == null )
  -        {
  -                     factoryName = "com.sun.jndi.ldap.LdapCtxFactory";
  -            env.setProperty(Context.INITIAL_CONTEXT_FACTORY, factoryName);
  -        }
  -        String authType = env.getProperty(Context.SECURITY_AUTHENTICATION);
  -        if( authType == null )
  -            env.setProperty(Context.SECURITY_AUTHENTICATION, "simple");
  -             String protocol = env.getProperty(Context.SECURITY_PROTOCOL);
  -             String providerURL = (String) options.get(Context.PROVIDER_URL);
  -             if( providerURL == null )
  -                     providerURL = "ldap://localhost:"; + ((protocol != null && 
protocol.equals("ssl")) ? "389" : "636");
  -             String principalDNPrefix = (String) 
options.get(PRINCIPAL_DN_PREFIX_OPT);
  -             if( principalDNPrefix == null )
  -                     principalDNPrefix="";
  -             String principalDNSuffix = (String) 
options.get(PRINCIPAL_DN_SUFFIX_OPT);
  -             if( principalDNSuffix == null )
  -                     principalDNSuffix="";
  -             String userDN = principalDNPrefix + username + principalDNSuffix;
  -             env.setProperty(Context.PROVIDER_URL, providerURL);
  -             env.setProperty(Context.SECURITY_PRINCIPAL, userDN);
  -             env.put(Context.SECURITY_CREDENTIALS, credential);
  -             System.out.println("Logging into LDAP server, env="+env);
  -             InitialLdapContext ctx = new InitialLdapContext(env, null);
  -             System.out.println("Logged into LDAP server, "+ctx);
  -        // Query the user's roles...
  -        String rolesCtxDN = (String) options.get(ROLES_CTX_DN_OPT);
  -        if( rolesCtxDN != null )
  -        {
  -            String uidAttrName = (String) options.get(UID_ATTRIBUTE_ID_OPT);
  -            if( uidAttrName == null )
  -                uidAttrName = "uid";
  -            String roleAttrName = (String) options.get(ROLE_ATTRIBUTE_ID_OPT);
  -            if( roleAttrName == null )
  -                roleAttrName = "roles";
  -            BasicAttributes matchAttrs = new BasicAttributes(true); 
  -            matchAttrs.put(uidAttrName, username);
  -            String[] roleAttr = {roleAttrName};
  -            try
  -            {
  -                NamingEnumeration answer = ctx.search(rolesCtxDN, matchAttrs, 
roleAttr);
  -                while( answer.hasMore() )
  -                {
  -                    SearchResult sr = (SearchResult) answer.next();
  -                    Attributes attrs = sr.getAttributes();
  -                    Attribute roles = attrs.get(roleAttrName);
  -                    for(int r = 0; r < roles.size(); r ++)
  -                    {
  -                        Object value = roles.get(r);
  -                        String roleName = value.toString();
  -                        userRoles.addMember(new SimplePrincipal(roleName));
  -                    }
  -                }
  -            }
  -            catch(NamingException e)
  -            {
  -            }
  -        }
  -        // Close the context to release the connection
  -             ctx.close();
  -     }
  -}
  +/*
  + * JBoss, the OpenSource EJB server
  + *
  + * Distributable under LGPL license.
  + * See terms of license at gnu.org.
  + */
  +package org.jboss.security.auth.spi;
  +
  +import java.security.Principal;
  +import java.security.acl.Group;
  +import java.util.ArrayList;
  +import java.util.Iterator;
  +import java.util.Map;
  +import java.util.Map.Entry;
  +import java.util.Properties;
  +import javax.naming.Context;
  +import javax.naming.NamingEnumeration;
  +import javax.naming.NamingException;
  +import javax.naming.directory.Attribute;
  +import javax.naming.directory.Attributes;
  +import javax.naming.directory.BasicAttributes;
  +import javax.naming.directory.SearchResult;
  +import javax.naming.ldap.InitialLdapContext;
  +import javax.security.auth.Subject;
  +import javax.security.auth.callback.Callback;
  +import javax.security.auth.callback.CallbackHandler;
  +import javax.security.auth.callback.NameCallback;
  +import javax.security.auth.callback.PasswordCallback;
  +import javax.security.auth.callback.UnsupportedCallbackException;
  +import javax.security.auth.login.FailedLoginException;
  +import javax.security.auth.login.LoginException;
  +import javax.security.auth.spi.LoginModule;
  +
  +import org.jboss.security.SimpleGroup;
  +import org.jboss.security.SimplePrincipal;
  +import org.jboss.security.auth.callback.ObjectCallback;
  +import org.jboss.security.auth.spi.UsernamePasswordLoginModule;
  +
  +/** An implementation of LoginModule that authenticates against an LDAP server
  + using JNDI based on the configuration properties.
  + 
  + The LoginModule options include whatever options your LDAP JNDI provider
  + support. Examples of standard property names are:
  + Context.INITIAL_CONTEXT_FACTORY = "java.naming.factory.initial"
  + Context.SECURITY_PROTOCOL = "java.naming.security.protocol"
  + Context.PROVIDER_URL = "java.naming.provider.url"
  + Context.SECURITY_AUTHENTICATION = "java.naming.security.authentication"
  + 
  + The Context.SECURITY_PRINCIPAL is set to the distinguished name of the user
  + as obtained by the callback handler and the Context.SECURITY_CREDENTIALS
  + property is either set to the String password or Object credential depending
  + on the useObjectCredential option.
  + 
  + Additional module properties include:
  + principalDNPrefix, principalDNSuffix : A prefix and suffix to add to the
  + username when forming the user distiguished name. This is useful if you
  + prompt a user for a username and you don't want them to have to enter the
  + fully distinguished name. Using this property and principalDNSuffix the
  + userDN will be formed as:
  + <code>String userDN = principalDNPrefix + username + principalDNSuffix;</code>
  + 
  + useObjectCredential : indicates that the credential should be obtained as
  + an opaque Object using the org.jboss.security.plugins.ObjectCallback type
  + of Callback rather than as a char[] password using a JAAS PasswordCallback.
  + 
  + rolesCtxDN : The distinguished name to the context to search for user roles.
  + roleAttributeName : The name of the attribute that contains the user roles
  + uidAttributeName : The name of the attribute that in the object containing
  + the user roles that corresponds to the userid. This is used to locate the
  + user roles.
  + 
  + A sample login config:
  + testLdap {
  + org.jboss.security.plugins.samples.LdapLoginModule required
  + java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory
  + principalDNPrefix=uid=
  + uidAttributeID=userid
  + roleAttributeID=rolenames
  + principalDNSuffix=,ou=People,o=displayscape.com
  + rolesCtxDN=ou=Users,cn=Project1,ou=Projects,o=displayscape.com
  + java.naming.provider.url=ldap://siren-int/
  + java.naming.security.authentication=simple
  + };
  + 
  + @author [EMAIL PROTECTED]
  + @version $Revision: 1.1.4.1 $
  + */
  +public class LdapLoginModule extends UsernamePasswordLoginModule
  +{
  +   private static final String USE_OBJECT_CREDENTIAL_OPT = "useObjectCredential";
  +   private static final String PRINCIPAL_DN_PREFIX_OPT = "principalDNPrefix";
  +   private static final String PRINCIPAL_DN_SUFFIX_OPT = "principalDNSuffix";
  +   private static final String ROLES_CTX_DN_OPT = "rolesCtxDN";
  +   private static final String UID_ATTRIBUTE_ID_OPT = "uidAttributeID";
  +   private static final String ROLE_ATTRIBUTE_ID_OPT = "roleAttributeID";
  +   
  +   public LdapLoginModule()
  +   {
  +   }
  +   
  +   private transient SimpleGroup userRoles = new SimpleGroup("Roles");
  +   
  +   /** Overriden to return an empty password string as typically one cannot
  +    obtain a user's password. We also override the validatePassword so
  +    this is ok.
  +    @return and empty password String
  +    */
  +   protected String getUsersPassword() throws LoginException
  +   {
  +      return "";
  +   }
  +   /** Overriden by subclasses to return the Groups that correspond to the
  +     to the role sets assigned to the user. Subclasses should create at
  +     least a Group named "Roles" that contains the roles assigned to the user.
  +     A second common group is "CallerPrincipal" that provides the application
  +     identity of the user rather than the security domain identity.
  +   @return Group[] containing the sets of roles 
  +   */
  +   protected Group[] getRoleSets() throws LoginException
  +   {
  +      Group[] roleSets = {userRoles};
  +      return roleSets;
  +   }
  +
  +   protected boolean validatePassword(String inputPassword, String expectedPassword)
  +   {
  +      boolean isValid = false;
  +      if( inputPassword != null )
  +      {
  +         try
  +         {
  +            // Validate the password by trying to create an initial context
  +            String username = getUsername();
  +            createLdapInitContext(username, inputPassword);
  +         }
  +         catch(NamingException e)
  +         {
  +            e.printStackTrace();
  +         }
  +      }
  +      return isValid;
  +   }
  +   
  +   private void createLdapInitContext(String username, Object credential) throws 
NamingException
  +   {
  +      Properties env = new Properties();
  +      // Map all option into the JNDI InitialLdapContext env
  +      Iterator iter = options.entrySet().iterator();
  +      while( iter.hasNext() )
  +      {
  +         Entry entry = (Entry) iter.next();
  +         env.put(entry.getKey(), entry.getValue());
  +      }
  +      
  +      // Set defaults for key values if they are missing
  +      String factoryName = env.getProperty(Context.INITIAL_CONTEXT_FACTORY);
  +      if( factoryName == null )
  +      {
  +         factoryName = "com.sun.jndi.ldap.LdapCtxFactory";
  +         env.setProperty(Context.INITIAL_CONTEXT_FACTORY, factoryName);
  +      }
  +      String authType = env.getProperty(Context.SECURITY_AUTHENTICATION);
  +      if( authType == null )
  +         env.setProperty(Context.SECURITY_AUTHENTICATION, "simple");
  +      String protocol = env.getProperty(Context.SECURITY_PROTOCOL);
  +      String providerURL = (String) options.get(Context.PROVIDER_URL);
  +      if( providerURL == null )
  +         providerURL = "ldap://localhost:"; + ((protocol != null && 
protocol.equals("ssl")) ? "389" : "636");
  +
  +      String principalDNPrefix = (String) options.get(PRINCIPAL_DN_PREFIX_OPT);
  +      if( principalDNPrefix == null )
  +         principalDNPrefix="";
  +      String principalDNSuffix = (String) options.get(PRINCIPAL_DN_SUFFIX_OPT);
  +      if( principalDNSuffix == null )
  +         principalDNSuffix="";
  +      String userDN = principalDNPrefix + username + principalDNSuffix;
  +      env.setProperty(Context.PROVIDER_URL, providerURL);
  +      env.setProperty(Context.SECURITY_PRINCIPAL, userDN);
  +      env.put(Context.SECURITY_CREDENTIALS, credential);
  +      System.out.println("Logging into LDAP server, env="+env);
  +      InitialLdapContext ctx = new InitialLdapContext(env, null);
  +      System.out.println("Logged into LDAP server, "+ctx);
  +      // Query the user's roles...
  +      String rolesCtxDN = (String) options.get(ROLES_CTX_DN_OPT);
  +      if( rolesCtxDN != null )
  +      {
  +         String uidAttrName = (String) options.get(UID_ATTRIBUTE_ID_OPT);
  +         if( uidAttrName == null )
  +            uidAttrName = "uid";
  +         String roleAttrName = (String) options.get(ROLE_ATTRIBUTE_ID_OPT);
  +         if( roleAttrName == null )
  +            roleAttrName = "roles";
  +         BasicAttributes matchAttrs = new BasicAttributes(true);
  +         matchAttrs.put(uidAttrName, username);
  +         String[] roleAttr =
  +         {roleAttrName};
  +         try
  +         {
  +            NamingEnumeration answer = ctx.search(rolesCtxDN, matchAttrs, roleAttr);
  +            while( answer.hasMore() )
  +            {
  +               SearchResult sr = (SearchResult) answer.next();
  +               Attributes attrs = sr.getAttributes();
  +               Attribute roles = attrs.get(roleAttrName);
  +               for(int r = 0; r < roles.size(); r ++)
  +               {
  +                  Object value = roles.get(r);
  +                  String roleName = value.toString();
  +                  userRoles.addMember(new SimplePrincipal(roleName));
  +               }
  +            }
  +         }
  +         catch(NamingException e)
  +         {
  +         }
  +      }
  +      // Close the context to release the connection
  +      ctx.close();
  +   }
  +}
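Review bot: `validatePassword` in this hunk never assigns `isValid = true`, so even a successful bind in `createLdapInitContext` returns false and every LDAP login fails; once that is fixed, an empty `inputPassword` must also be rejected before the bind, because a simple bind with an empty credential is an unauthenticated (anonymous) bind in LDAP (RFC 4513 §5.1.2) that succeeds for any DN, and the `!= null` guard does not cover it, which would let a blank password authenticate as any configured user. Two smaller points in the same hunk: `System.out.println("Logging into LDAP server, env="+env)` writes the user's password (`java.naming.security.credentials`) to stdout and should print only the URL and DN, e.g. `System.out.println("Logging into LDAP server, url="+providerURL+", principal="+userDN);`, and the default provider URL maps `ssl` to 389 and plain to 636, which is reversed (plain LDAP is 389, LDAPS is 636): `providerURL = "ldap://localhost:" + ((protocol != null && protocol.equals("ssl")) ? "636" : "389");`. The rewrite below also reports the bind failure reason instead of dumping a stack trace with `printStackTrace`.
```java
   protected boolean validatePassword(String inputPassword, String expectedPassword)
   {
      // Never bind with an empty credential: LDAP treats a simple bind with
      // an empty password as an unauthenticated (anonymous) bind, which
      // succeeds for any DN and would authenticate any username.
      if( inputPassword == null || inputPassword.length() == 0 )
         return false;
      String username = getUsername();
      try
      {
         // The bind itself is the password check; success means the
         // directory accepted the credential for the user DN.
         createLdapInitContext(username, inputPassword);
         return true;
      }
      catch(NamingException e)
      {
         // Keep the failure reason (no stack trace); login() reports
         // "Password Incorrect/Password Required" to the caller.
         System.out.println("LDAP bind failed for username="+username+": "+e.toString(true));
         return false;
      }
   }
   // … unchanged: createLdapInitContext …
```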
  
  
  
  1.3.4.1   +204 -178  
jbosssx/src/main/org/jboss/security/auth/spi/UsernamePasswordLoginModule.java
  
  Index: UsernamePasswordLoginModule.java
  ===================================================================
  RCS file: 
/cvsroot/jboss/jbosssx/src/main/org/jboss/security/auth/spi/UsernamePasswordLoginModule.java,v
  retrieving revision 1.3
  retrieving revision 1.3.4.1
  diff -u -r1.3 -r1.3.4.1
  --- UsernamePasswordLoginModule.java  2001/05/30 12:23:25     1.3
  +++ UsernamePasswordLoginModule.java  2001/07/09 08:49:37     1.3.4.1
  @@ -1,178 +1,204 @@
  -/*
  - * JBoss, the OpenSource EJB server
  - *
  - * Distributable under LGPL license.
  - * See terms of license at gnu.org.
  - */
  -package org.jboss.security.auth.spi;
  -
  -import java.io.IOException;
  -import java.util.ArrayList;
  -import java.util.Enumeration;
  -import java.security.Principal;
  -import java.security.acl.Group;
  -import javax.security.auth.Subject;
  -import javax.security.auth.callback.Callback;
  -import javax.security.auth.callback.CallbackHandler;
  -import javax.security.auth.callback.NameCallback;
  -import javax.security.auth.callback.PasswordCallback;
  -import javax.security.auth.callback.UnsupportedCallbackException;
  -import javax.security.auth.login.LoginException;
  -import javax.security.auth.login.FailedLoginException;
  -import javax.security.auth.spi.LoginModule;
  -
  -import org.jboss.security.SimpleGroup;
  -import org.jboss.security.SimplePrincipal;
  -import org.jboss.security.auth.spi.AbstractServerLoginModule;
  -
  -
  -/** An abstract subclass of AbstractServerLoginModule that imposes a
  -an identity == String username, credentials == String password view on
  -the login process. Subclasses override the getUsersPassword()
  -and getUsersRoles() methods to return the expected password and roles
  -for the user.
  -
  -@see #getUsername()
  -@see #getUsersPassword()
  -@see #getUsersRoles()
  -
  -@author [EMAIL PROTECTED]
  -@version $Revision: 1.3 $
  -*/
  -public abstract class UsernamePasswordLoginModule extends AbstractServerLoginModule
  -{
  -    /** The login identity */
  -    private Principal identity;
  -    /** The proof of login identity */
  -    private char[] credential;
  -
  -    /**
  -     */
  -    public boolean login() throws LoginException
  -    {
  -        // See if shared credentials exist
  -        if( super.login() == true )
  -        {
  -            // Setup our view of the user
  -            Object username = sharedState.get("javax.security.auth.login.name");
  -            if( username instanceof Principal )
  -                identity = (Principal) username;
  -            else
  -            {
  -                String name = username.toString();
  -                identity = new SimplePrincipal(name);
  -            }
  -            Object password = sharedState.get("javax.security.auth.login.password");
  -            if( password instanceof char[] )
  -                credential = (char[]) password;
  -            else
  -            {
  -                String tmp = password.toString();
  -                credential = tmp.toCharArray();
  -            }
  -            return true;
  -        }
  -
  -        String[] info = getUsernameAndPassword();
  -        String username = info[0];
  -        String password = info[1];
  -        identity = new SimplePrincipal(username);
  -
  -        // Validate the password supplied by the subclass
  -        String expectedPassword = getUsersPassword();
  -        if( validatePassword(password, expectedPassword) == false )
  -        {
  -            System.out.println("Bad password for username="+username);
  -            throw new FailedLoginException("Password Incorrect/Password Required");
  -        }
  -        System.out.print("User '" + username + "' authenticated.\n");
  -
  -        if( getUseFirstPass() == true )
  -        {    // Add the username and password to the shared state map
  -             sharedState.put("javax.security.auth.login.name", username);
  -             sharedState.put("javax.security.auth.login.password", credential);
  -        }
  -        return true;
  -    }
  -
  -    protected Principal getIdentity()
  -    {
  -        return identity;
  -    }
  -
  -    protected Object getCredentials()
  -    {
  -        return credential;
  -    }
  -    protected String getUsername()
  -    {
  -        return getIdentity().getName();
  -    }
  -
  -    /** Called by login() to acquire the username and password strings for
  -        authentication. This method does no validation of either.
  -    @return String[], [0] = username, [1] = password
  -    @exception LoginException thrown if CallbackHandler is not set or fails.
  -    */
  -    protected String[] getUsernameAndPassword() throws LoginException
  -    {
  -        String[] info = {null, null};
  -        // prompt for a username and password
  -        if( callbackHandler == null )
  -        {
  -            throw new LoginException("Error: no CallbackHandler available " +
  -                                 "to garner authentication information from the 
user");
  -        }
  -        NameCallback nc = new NameCallback("User name: ", "guest");
  -        PasswordCallback pc = new PasswordCallback("Password: ", false);
  -        Callback[] callbacks = {nc, pc};
  -        String username = null;
  -        String password = null;
  -        try
  -        {
  -            callbackHandler.handle(callbacks);
  -            username = nc.getName();
  -            char[] tmpPassword = pc.getPassword();
  -            if( tmpPassword != null )
  -            {
  -                credential = new char[tmpPassword.length];
  -                System.arraycopy(tmpPassword, 0, credential, 0, tmpPassword.length);
  -                pc.clearPassword();
  -                password = new String(credential);
  -            }
  -        }
  -        catch(java.io.IOException ioe)
  -        {
  -            throw new LoginException(ioe.toString());
  -        }
  -        catch(UnsupportedCallbackException uce)
  -        {
  -            throw new LoginException("CallbackHandler does not support: " + 
uce.getCallback());
  -        }
  -        info[0] = username;
  -        info[1] = password;
  -        return info;
  -    }
  -
  -    /** A hook that allows subclasses to change the validation of the input
  -        password against the expected password. This version checks that
  -        neither inputPassword or expectedPassword are null that that
  -        inputPassword.equals(expectedPassword) is true;
  -    @return true if the inputPassword is valid, false otherwise.
  -    */
  -    protected boolean validatePassword(String inputPassword, String 
expectedPassword)
  -    {
  -        if( inputPassword == null || expectedPassword == null )
  -            return false;
  -        return inputPassword.equals(expectedPassword);
  -    }
  -
  -    /** Get the expected password for the current username available via
  -        the getUsername() method. This is called from within the login()
  -        method after the CallbackHandler has returned the username and
  -        candidate password.
  -    @return the valid password String
  -    */
  -    abstract protected String getUsersPassword() throws LoginException;
  -
  -}
  +/*
  + * JBoss, the OpenSource EJB server
  + *
  + * Distributable under LGPL license.
  + * See terms of license at gnu.org.
  + */
  +package org.jboss.security.auth.spi;
  +
  +import java.io.IOException;
  +import java.util.ArrayList;
  +import java.util.Enumeration;
  +import java.util.Map;
  +import java.security.Principal;
  +import java.security.acl.Group;
  +import javax.security.auth.Subject;
  +import javax.security.auth.callback.Callback;
  +import javax.security.auth.callback.CallbackHandler;
  +import javax.security.auth.callback.NameCallback;
  +import javax.security.auth.callback.PasswordCallback;
  +import javax.security.auth.callback.UnsupportedCallbackException;
  +import javax.security.auth.login.LoginException;
  +import javax.security.auth.login.FailedLoginException;
  +import javax.security.auth.spi.LoginModule;
  +
  +import org.jboss.security.SimpleGroup;
  +import org.jboss.security.SimplePrincipal;
  +import org.jboss.security.auth.spi.AbstractServerLoginModule;
  +
  +
  +/** An abstract subclass of AbstractServerLoginModule that imposes a
  + an identity == String username, credentials == String password view on
  + the login process. Subclasses override the getUsersPassword()
  + and getUsersRoles() methods to return the expected password and roles
  + for the user.
  + 
  + @see #getUsername()
  + @see #getUsersPassword()
  + @see #getUsersRoles()
  + 
  + @author [EMAIL PROTECTED]
  + @version $Revision: 1.3.4.1 $
  + */
  +public abstract class UsernamePasswordLoginModule extends AbstractServerLoginModule
  +{
  +   /** The login identity */
  +   private Principal identity;
  +   /** The proof of login identity */
  +   private char[] credential;
  +   /** the principal to use when a null username and password are seen */
  +   private Principal unauthenticatedIdentity;
  +
  +   /** Override the superclass method to look for a unauthenticatedIdentity
  +    property. This method first invokes the super version.
  +    @param options,
  +    @option unauthenticatedIdentity: the name of the principal to asssign
  +    and authenticate when a null username and password are seen.
  +    */
  +   public void initialize(Subject subject, CallbackHandler callbackHandler, Map 
sharedState, Map options)
  +   {
  +      super.initialize(subject, callbackHandler, sharedState, options);
  +      // Check for unauthenticatedIdentity option.
  +      String name = (String) options.get("unauthenticatedIdentity");
  +      if( name != null )
  +         unauthenticatedIdentity = new SimplePrincipal(name);
  +   }
  +
  +   /**
  +    */
  +   public boolean login() throws LoginException
  +   {
  +      // See if shared credentials exist
  +      if( super.login() == true )
  +      {
  +         // Setup our view of the user
  +         Object username = sharedState.get("javax.security.auth.login.name");
  +         if( username instanceof Principal )
  +            identity = (Principal) username;
  +         else
  +         {
  +            String name = username.toString();
  +            identity = new SimplePrincipal(name);
  +         }
  +         Object password = sharedState.get("javax.security.auth.login.password");
  +         if( password instanceof char[] )
  +            credential = (char[]) password;
  +         else if( password != null )
  +         {
  +            String tmp = password.toString();
  +            credential = tmp.toCharArray();
  +         }
  +         return true;
  +      }
  +
  +      String[] info = getUsernameAndPassword();
  +      String username = info[0];
  +      String password = info[1];
  +      if( username == null && password == null )
  +         identity = unauthenticatedIdentity;
  +      if( identity == null )
  +      {
  +         identity = new SimplePrincipal(username);
  +         // Validate the password supplied by the subclass
  +         String expectedPassword = getUsersPassword();
  +         if( validatePassword(password, expectedPassword) == false )
  +         {
  +            System.out.println("Bad password for username="+username);
  +            throw new FailedLoginException("Password Incorrect/Password Required");
  +         }
  +      }
  +      System.out.print("User '" + username + "' authenticated.\n");
  +
  +      if( getUseFirstPass() == true )
  +      {    // Add the username and password to the shared state map
  +         sharedState.put("javax.security.auth.login.name", username);
  +         sharedState.put("javax.security.auth.login.password", credential);
  +      }
  +      return true;
  +   }
  +
  +   protected Principal getIdentity()
  +   {
  +      return identity;
  +   }
  +   protected Principal getUnauthenticatedIdentity()
  +   {
  +      return unauthenticatedIdentity;
  +   }
  +
  +   protected Object getCredentials()
  +   {
  +      return credential;
  +   }
  +   protected String getUsername()
  +   {
  +      return getIdentity().getName();
  +   }
  +
  +   /** Called by login() to acquire the username and password strings for
  +    authentication. This method does no validation of either.
  +    @return String[], [0] = username, [1] = password
  +    @exception LoginException thrown if CallbackHandler is not set or fails.
  +    */
  +   protected String[] getUsernameAndPassword() throws LoginException
  +   {
  +      String[] info = {null, null};
  +      // prompt for a username and password
  +      if( callbackHandler == null )
  +      {
  +         throw new LoginException("Error: no CallbackHandler available " +
  +         "to collect authentication information");
  +      }
  +      NameCallback nc = new NameCallback("User name: ", "guest");
  +      PasswordCallback pc = new PasswordCallback("Password: ", false);
  +      Callback[] callbacks = {nc, pc};
  +      String username = null;
  +      String password = null;
  +      try
  +      {
  +         callbackHandler.handle(callbacks);
  +         username = nc.getName();
  +         char[] tmpPassword = pc.getPassword();
  +         if( tmpPassword != null )
  +         {
  +            credential = new char[tmpPassword.length];
  +            System.arraycopy(tmpPassword, 0, credential, 0, tmpPassword.length);
  +            pc.clearPassword();
  +            password = new String(credential);
  +         }
  +      }
  +      catch(java.io.IOException ioe)
  +      {
  +         throw new LoginException(ioe.toString());
  +      }
  +      catch(UnsupportedCallbackException uce)
  +      {
  +         throw new LoginException("CallbackHandler does not support: " + 
uce.getCallback());
  +      }
  +      info[0] = username;
  +      info[1] = password;
  +      return info;
  +   }
  +
  +   /** A hook that allows subclasses to change the validation of the input
  +    password against the expected password. This version checks that
  +    neither inputPassword or expectedPassword are null that that
  +    inputPassword.equals(expectedPassword) is true;
  +    @return true if the inputPassword is valid, false otherwise.
  +    */
  +   protected boolean validatePassword(String inputPassword, String expectedPassword)
  +   {
  +      if( inputPassword == null || expectedPassword == null )
  +         return false;
  +      return inputPassword.equals(expectedPassword);
  +   }
  +
  +   /** Get the expected password for the current username available via
  +    the getUsername() method. This is called from within the login()
  +    method after the CallbackHandler has returned the username and
  +    candidate password.
  +    @return the valid password String
  +    */
  +   abstract protected String getUsersPassword() throws LoginException;
  +   
  +}
  
  
  
  No                   revision
  
  
  No                   revision
  
  
  1.1.2.1   +43 -0     
jbosssx/src/main/org/jboss/security/auth/spi/Attic/AnonLoginModule.java
  
  
  
  
